Hi, I am trying to build a capture filter on some traffic which contains VLAN tags. The frames happen to contain two VLAN tags. I don't really care what VLANs they are, as I am mainly interested in the destination IP and port number. If I use this capture filter below, I don't see any traffic:
However, if I change my filter to this:
everything works fine. Does anyone know the difference between using

Thanks
So, the difference between your two commands is: The command:
shows only VLAN tagged traffic to and from host 192.168.0.1. The command:
actually runs just this command (due to the special meaning of &&):
The result of the
BTW: If you want to use
This is identical to:
Regards

(Presumably, no vlan traffic is going to or from 192.168.0.1, so a filter that tests for both will see no packets, but a filter testing only for VLAN frames will see packets. From the point of view of libpcap/WinPcap, which both tcpdump and Wireshark use for capture filters,
(21 May '12, 09:55)
Guy Harris ♦♦
1
Kurt, thanks for your response. This makes perfect sense now. So although I was seeing traffic which contained vlan tags, the filter by host wasn't actually getting applied... gotcha! Incidentally, I had a few more attempts on the filter for packets with multiple vlan tags and I think I got it working. This is what I ended up with - tshark -i eth1 "vlan and (vlan and host 192.168.0.1)"

Thanks again
Gian
(23 May '12, 07:57)
Gian Sartor
Gian,
you don't need vlan twice. This should be equivalent to your command:
(23 May '12, 08:13)
Kurt Knochner ♦
2
Kurt,
Will look for an IP address after TWO vlan headers (i.e. Q-in-Q), which is different from what happens when using the vlan directive once. As Gian said: "I had a few more attempts on the filter for packets with multiple vlan tags" :-) (yes, my first reaction was also: "Hey, you don't need two vlan directives"!)
(23 May '12, 08:19)
SYN-bit ♦♦
Ah, good catch :-) Thanks for the hint...
(23 May '12, 08:31)
Kurt Knochner ♦
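The offset shift that Kurt's answer and SYN-bit's comment describe, modelled in Python as an added example (this is not code from the thread or from libpcap): each matching "vlan" moves the point where later primitives expect the ethertype and IP header, so on a double-tagged frame "vlan and host 192.168.0.1" finds a second 0x8100 tag where it expects IPv4 and never matches, while "vlan and vlan and host 192.168.0.1" (or Gian's parenthesised form) does. The frames are constructed inline; only IPv4 and the "and" operator are modelled, and the TPID check is limited to 0x8100.

```python
import struct
from ipaddress import IPv4Address

ETH_P_8021Q = 0x8100  # 802.1Q TPID (newer libpcap also accepts 0x88a8/0x9100)
ETH_P_IP = 0x0800

def build_frame(vlan_ids, src, dst):
    """Constructed test frame: Ethernet header, zero or more 802.1Q tags
    (outermost first), then a minimal IPv4 header with no payload."""
    macs = bytes.fromhex("001122334455" "66778899aabb")
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid) for vid in vlan_ids)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return macs + tags + struct.pack("!H", ETH_P_IP) + ip

class CaptureFilter:
    """Minimal model of libpcap's 'vlan' and 'host' primitives (IPv4 only)."""
    def __init__(self, frame):
        self.frame = frame
        self.off = 12  # where the filter currently expects the ethertype

    def vlan(self):
        tpid = struct.unpack_from("!H", self.frame, self.off)[0]
        if tpid != ETH_P_8021Q:
            return False
        self.off += 4  # every later primitive now reads 4 bytes further in
        return True

    def host(self, addr):
        ethertype = struct.unpack_from("!H", self.frame, self.off)[0]
        if ethertype != ETH_P_IP:  # e.g. a second 0x8100 tag that was not skipped
            return False
        ip = self.off + 2
        src, dst = self.frame[ip + 12:ip + 16], self.frame[ip + 16:ip + 20]
        return IPv4Address(addr).packed in (src, dst)

def matches(expr, frame):
    """Evaluate a conjunction of 'vlan' / 'host A.B.C.D' terms left to right.
    Parentheses are ignored: only 'and' is modelled, and it short-circuits,
    which makes this runtime model equivalent to libpcap's compile-time shift."""
    state = CaptureFilter(frame)
    tokens = iter(t for t in expr.replace("(", " ").replace(")", " ").split()
                  if t != "and")
    for tok in tokens:
        if tok not in ("vlan", "host"):
            raise ValueError(f"unsupported primitive: {tok}")
        ok = state.vlan() if tok == "vlan" else state.host(next(tokens))
        if not ok:
            return False
    return True
```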